oasis_core_runtime/consensus/
keymanager.rs

1use std::{collections::HashMap, sync::Arc};
2
3use anyhow::Result;
4use thiserror::Error;
5
6use crate::common::{
7    crypto::{
8        signature::{Signature, SignatureBundle, Signer},
9        x25519,
10    },
11    namespace::Namespace,
12    sgx::EnclaveIdentity,
13};
14
15use super::beacon::EpochTime;
16
17pub mod churp;
18
19/// Context used to sign key manager policies.
20const POLICY_SIGNATURE_CONTEXT: &[u8] = b"oasis-core/keymanager: policy";
21
22/// Context used to sign encrypted key manager master secrets.
23const ENCRYPTED_MASTER_SECRET_SIGNATURE_CONTEXT: &[u8] =
24    b"oasis-core/keymanager: encrypted master secret";
25
26/// Context used to sign encrypted key manager ephemeral secrets.
27const ENCRYPTED_EPHEMERAL_SECRET_SIGNATURE_CONTEXT: &[u8] =
28    b"oasis-core/keymanager: encrypted ephemeral secret";
29
30/// Errors emitted by the key manager module.
31#[derive(Error, Debug)]
32pub enum Error {
33    #[error("invalid signature")]
34    InvalidSignature,
35}
36
37/// Key manager access control policy.
38#[derive(Clone, Debug, Default, PartialEq, Eq, cbor::Encode, cbor::Decode)]
39pub struct PolicySGX {
40    pub serial: u32,
41    pub id: Namespace,
42    pub enclaves: HashMap<EnclaveIdentity, EnclavePolicySGX>,
43    #[cbor(optional)]
44    pub master_secret_rotation_interval: EpochTime,
45    #[cbor(optional)]
46    pub max_ephemeral_secret_age: EpochTime,
47}
48
49/// Per enclave key manager access control policy.
50#[derive(Clone, Debug, Default, PartialEq, Eq, cbor::Encode, cbor::Decode)]
51pub struct EnclavePolicySGX {
52    /// A map of runtime IDs to the vector of enclave IDs that may query
53    /// private key material.
54    pub may_query: HashMap<Namespace, Vec<EnclaveIdentity>>,
55
56    /// A vector of enclave IDs that may retrieve the master secret.
57    ///
58    /// NOTE: Each enclave ID may always implicitly replicate from other
59    /// instances of itself.
60    pub may_replicate: Vec<EnclaveIdentity>,
61}
62
63/// Signed key manager access control policy.
64#[derive(Clone, Debug, Default, PartialEq, Eq, cbor::Encode, cbor::Decode)]
65pub struct SignedPolicySGX {
66    pub policy: PolicySGX,
67    pub signatures: Vec<SignatureBundle>,
68}
69
70impl SignedPolicySGX {
71    /// Verify the signatures.
72    pub fn verify(&self) -> Result<&PolicySGX> {
73        let raw_policy = cbor::to_vec(self.policy.clone());
74        for sig in &self.signatures {
75            sig.signature
76                .verify(&sig.public_key, POLICY_SIGNATURE_CONTEXT, &raw_policy)
77                .map_err(|_| Error::InvalidSignature)?;
78        }
79
80        Ok(&self.policy)
81    }
82}
83
84/// A secret encrypted with Deoxys-II MRAE algorithm.
85#[derive(Clone, Default, Debug, PartialEq, Eq, cbor::Encode, cbor::Decode)]
86pub struct EncryptedSecret {
87    /// Checksum for validating decrypted secret.
88    pub checksum: Vec<u8>,
89    /// Public key to derive the symmetric key for decryption.
90    pub pub_key: x25519::PublicKey,
91    /// A map of REK encrypted secrets.
92    pub ciphertexts: HashMap<x25519::PublicKey, Vec<u8>>,
93}
94
95/// Encrypted master secret.
96#[derive(Clone, Default, Debug, PartialEq, Eq, cbor::Encode, cbor::Decode)]
97pub struct EncryptedMasterSecret {
98    /// Runtime ID of the key manager.
99    pub runtime_id: Namespace,
100    /// Generation of the secret.
101    pub generation: u64,
102    /// Epoch time in which the secret was created.
103    pub epoch: EpochTime,
104    /// Encrypted secret.
105    pub secret: EncryptedSecret,
106}
107
108/// Encrypted ephemeral secret.
109#[derive(Clone, Default, Debug, PartialEq, Eq, cbor::Encode, cbor::Decode)]
110pub struct EncryptedEphemeralSecret {
111    /// Runtime ID of the key manager.
112    pub runtime_id: Namespace,
113    /// Epoch time to which the ephemeral secret belongs.
114    pub epoch: EpochTime,
115    /// Encrypted secret.
116    pub secret: EncryptedSecret,
117}
118
119/// Signed encrypted master secret (RAK).
120#[derive(Clone, Default, Debug, PartialEq, Eq, cbor::Encode, cbor::Decode)]
121pub struct SignedEncryptedMasterSecret {
122    /// Encrypted master secret.
123    pub secret: EncryptedMasterSecret,
124    /// Signature of the encrypted master secret.
125    pub signature: Signature,
126}
127
128impl SignedEncryptedMasterSecret {
129    pub fn new(secret: EncryptedMasterSecret, signer: &Arc<dyn Signer>) -> Result<Self> {
130        let signature = signer.sign(
131            ENCRYPTED_MASTER_SECRET_SIGNATURE_CONTEXT,
132            &cbor::to_vec(secret.clone()),
133        )?;
134        Ok(Self { secret, signature })
135    }
136}
137
138/// Signed encrypted ephemeral secret (RAK).
139#[derive(Clone, Default, Debug, PartialEq, Eq, cbor::Encode, cbor::Decode)]
140pub struct SignedEncryptedEphemeralSecret {
141    /// Encrypted ephemeral secret.
142    pub secret: EncryptedEphemeralSecret,
143    /// Signature of the encrypted ephemeral secret.
144    pub signature: Signature,
145}
146
147impl SignedEncryptedEphemeralSecret {
148    pub fn new(secret: EncryptedEphemeralSecret, signer: &Arc<dyn Signer>) -> Result<Self> {
149        let signature = signer.sign(
150            ENCRYPTED_EPHEMERAL_SECRET_SIGNATURE_CONTEXT,
151            &cbor::to_vec(secret.clone()),
152        )?;
153        Ok(Self { secret, signature })
154    }
155}